General
-
Target
29b696e52617c9ba497c46dcaef7e16a_JaffaCakes118
-
Size
781KB
-
Sample
240707-efdbcavgrf
-
MD5
29b696e52617c9ba497c46dcaef7e16a
-
SHA1
77167284d860c29877042b22ecaab5eb5a1c0ca9
-
SHA256
caa071247285e459abe7707038e3353e1259d3a3e25acac07c7240f3637de402
-
SHA512
4144c65cf1c61600abe9ddb2e9b5bfa519147cd943a394e471b4c7bc1956c705a997f3f48444640ac47905545f036460228e0de533b075a368a22b50659c4385
-
SSDEEP
24576:563ZPT//Dsup8DUBySBthO6i/q1uHUvDbE:Iz/w+pySLhQqkmbE
Malware Config
Targets
-
-
Target
29b696e52617c9ba497c46dcaef7e16a_JaffaCakes118
-
Size
781KB
-
MD5
29b696e52617c9ba497c46dcaef7e16a
-
SHA1
77167284d860c29877042b22ecaab5eb5a1c0ca9
-
SHA256
caa071247285e459abe7707038e3353e1259d3a3e25acac07c7240f3637de402
-
SHA512
4144c65cf1c61600abe9ddb2e9b5bfa519147cd943a394e471b4c7bc1956c705a997f3f48444640ac47905545f036460228e0de533b075a368a22b50659c4385
-
SSDEEP
24576:563ZPT//Dsup8DUBySBthO6i/q1uHUvDbE:Iz/w+pySLhQqkmbE
Score10/10-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1